GandCrab ransomware continues to evolve

GandCrab, a ransomware sample that, in under half a year, is becoming the most widely distributed ransomware among illegal hacking forums, is continuing to evolve.

Not only is GandCrab spreading way too fast, it's already seeding itself within legitimate Web sites.

Security giant Fortinet recently discovered a new version, GandCrab 4.1, in the wild, only two days after the previous version 4 was discovered.

The new version is being spread through compromised Web sites that have been crafted to look like download sites for cracked applications. It has also added a network communication tactic that was not observed in the previous version.

Old dog, new tricks

As with the previous version, 4.1 uses the faster Salsa2.0 stream cipher to encrypt data, instead of the RSA-2048 encryption used in GandCrab's first iterations. The major difference in this new version is that it contains an 'unusually long', hard-coded list of Web sites to which the malware connects.

Once connected to one of the URLs on the list, GandCrab sends it data, including the IP address, username, computer name, operating system and network domain. However, if it's there, it will also send a list of all installed anti-malware solutions on the system, from the infected system.

However, Fortinet says there isn't any evidence that any one of the Web sites on the hard-coded list has actually been compromised to act as servers or download sites for GandCrab.

"Even more curious is the fact that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental or simply there to divert analysis, and that the URLs included in the list are just victims of bad humour," adds Fortinet.

Extremely active

The authors behind GandCrab are extremely active and have released at least five versions of the ransomware to date, which was first discovered in January 2018.

Although there are no significant differences between any two versions of this malware, the frequent changes show that the threat actors behind GandCrab are willing to invest in maintaining and developing it.

"GandCrab ransomware attacks are some of the most prevalent ransomware threats of 2018. In recent months, the GandCrab attackers were able to infect more than 50 000 victims and generate over $600 000 in ransom payments from victims," says Securonix, whose Threat Research Team has been actively investigating and closely monitoring these attacks.

According to Securonix, there are multiple variants of the GandCrab ransomware using different infiltration vectors, including 4.1's use of compromised Web sites as the main infiltration vector.

Other common known infiltration vectors used by the ransomware variants include phishing e-mails containing specially tailored Microsoft Word documents or RTF attachments with macro or OLE content that cause malicious obfuscated VB stagers to be dropped and executed, as well as exploit kits including RIG EK, GrandSoft EK, and Magnitude EK.

An ounce of prevention

In order to help prevent or mitigate these attacks, Securonix recommends businesses review their backup version retention policies and make sure that all backups are stored in a location that cannot be accessed or encrypted by ransomware, such as remote write-only backup locations.

Secondly, it advises organisations to implement an end-user security training programme, as ransomware primarily targets end-users, and it is crucial for them to be aware of this scourge and how it happens.

Once infected, after containment, the company advises organisations to use a free tool that is able to decrypt the sensitive data encrypted by some of the earlier GandCrab ransomware variants. One can be downloaded here.

For Windows systems, businesses should consider enabling and auditing controlled folder access or turn on the protected folders feature.